SCADA Vulnerabilities & Exposures (SVE)

[SVE-874648910] Digium Asterisk GUI

| Field | Value |
|---|---|
| Date | 2017-09-21 |
| Type | Other |
| Platform | Digium |
| Author | Davy Douhine of RandoriSec reported the vulnerability to ICS-CERT. |
| EDB-ID | N/A |
| CVE-ID | CVE-2017-1400 |
| OSVDB-ID | N/A |
| Download | N/A |
| App | N/A |
| SIS Signature | N/A |

Source

# Digium Asterisk GUI
### VULNERABLE VENDOR
Digium
### VULNERABLE PRODUCT
Asterisk GUI
### RESEARCHER
Davy Douhine of RandoriSec reported the vulnerability to ICS-CERT.
### AFFECTED PRODUCTS
The following versions of Asterisk GUI, a framework for configuring graphical user interfaces, are affected:
- Asterisk GUI 2.1.0 and prior
### IMPACT
Successful exploitation of this vulnerability could allow an authenticated attacker to execute arbitrary code on the device.
### VULNERABILITY OVERVIEW
IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78
An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
CVE-2017-14001 has been assigned to this vulnerability.
A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
### BACKGROUND
Critical Infrastructure Sector(s): Commercial Facilities, Communications, and Critical Manufacturing.
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Alabama, United States
### MITIGATION
Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium's SwitchVox product.

About CRITIFENCE®

CRITIFENCE® provides Cyber Security solutions designed for Critical Infrastructure, SCADA and Industrial Control Systems, which allow OT networks to be monitored and controlled easily and entirely passively.
